Hay
Date: April 20, 2025, 11:09 p.m.

Environment: x15, x86

[   61.872985] ==================================================================
[   61.884216] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1e8/0x398
[   61.892059] Read of size 1 at addr cc22f400 by task kunit_try_catch/271
[   61.898742] 
[   61.900238] CPU: 1 UID: 0 PID: 271 Comm: kunit_try_catch Tainted: G    B   W        N  6.15.0-rc3 #1 NONE 
[   61.900299] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   61.900299] Hardware name: Generic DRA74X (Flattened Device Tree)
[   61.900329] Call trace: 
[   61.900329]  unwind_backtrace from show_stack+0x18/0x1c
[   61.900390]  show_stack from dump_stack_lvl+0x70/0x90
[   61.900421]  dump_stack_lvl from print_report+0x158/0x528
[   61.900451]  print_report from kasan_report+0xdc/0x118
[   61.900482]  kasan_report from __kasan_check_byte+0x34/0x3c
[   61.900512]  __kasan_check_byte from kmem_cache_destroy+0x24/0x1ec
[   61.900543]  kmem_cache_destroy from kmem_cache_double_destroy+0x1e8/0x398
[   61.900604]  kmem_cache_double_destroy from kunit_try_run_case+0x22c/0x5a8
[   61.900634]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[   61.900665]  kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[   61.900726]  kthread from ret_from_fork+0x14/0x20
[   61.900756] Exception stack(0xf258bfb0 to 0xf258bff8)
[   61.900756] bfa0:                                     00000000 00000000 00000000 00000000
[   61.900787] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   61.900817] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
[   61.900848] 
[   62.019500] Allocated by task 271:
[   62.022918]  kasan_save_track+0x30/0x5c
[   62.026794]  __kasan_slab_alloc+0x60/0x68
[   62.030822]  kmem_cache_alloc_noprof+0x17c/0x36c
[   62.035491]  __kmem_cache_create_args+0x1c0/0x2c0
[   62.040222]  kmem_cache_double_destroy+0xc0/0x398
[   62.044982]  kunit_try_run_case+0x22c/0x5a8
[   62.049194]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   62.054718]  kthread+0x464/0x810
[   62.057983]  ret_from_fork+0x14/0x20
[   62.061584] 
[   62.063079] Freed by task 271:
[   62.066162]  kasan_save_track+0x30/0x5c
[   62.070037]  kasan_save_free_info+0x3c/0x48
[   62.074249]  __kasan_slab_free+0x40/0x50
[   62.078186]  kmem_cache_free+0x100/0x470
[   62.082153]  kobject_put+0x21c/0x678
[   62.085754]  kmem_cache_double_destroy+0x168/0x398
[   62.090576]  kunit_try_run_case+0x22c/0x5a8
[   62.094818]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   62.100341]  kthread+0x464/0x810
[   62.103607]  ret_from_fork+0x14/0x20
[   62.107208] 
[   62.108703] The buggy address belongs to the object at cc22f400
[   62.108703]  which belongs to the cache kmem_cache of size 132
[   62.120513] The buggy address is located 0 bytes inside of
[   62.120513]  freed 132-byte region [cc22f400, cc22f484)
[   62.131286] 
[   62.132781] The buggy address belongs to the physical page:
[   62.138397] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c22f
[   62.145660] flags: 0x0(zone=0)
[   62.148742] page_type: f5(slab)
[   62.151916] raw: 00000000 c7001000 00000122 00000000 00000000 80100010 f5000000 00000000
[   62.160064] raw: 00000000
[   62.162689] page dumped because: kasan: bad access detected
[   62.168304] 
[   62.169799] Memory state around the buggy address:
[   62.174621]  cc22f300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.181213]  cc22f380: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   62.187774] >cc22f400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.194335]            ^
[   62.196899]  cc22f480: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   62.203460]  cc22f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   62.210052] ==================================================================

[   34.392619] ==================================================================
[   34.403775] BUG: KASAN: slab-use-after-free in kmem_cache_double_destroy+0x1bf/0x380
[   34.411524] Read of size 1 at addr ffff888100ac7540 by task kunit_try_catch/258
[   34.418836] 
[   34.420337] CPU: 1 UID: 0 PID: 258 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT(voluntary) 
[   34.420347] Tainted: [B]=BAD_PAGE, [N]=TEST
[   34.420349] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   34.420353] Call Trace:
[   34.420355]  <TASK>
[   34.420357]  dump_stack_lvl+0x73/0xb0
[   34.420362]  print_report+0xd1/0x650
[   34.420366]  ? __virt_addr_valid+0x1db/0x2d0
[   34.420371]  ? kmem_cache_double_destroy+0x1bf/0x380
[   34.420374]  ? kasan_complete_mode_report_info+0x64/0x200
[   34.420379]  ? kmem_cache_double_destroy+0x1bf/0x380
[   34.420382]  kasan_report+0x141/0x180
[   34.420386]  ? kmem_cache_double_destroy+0x1bf/0x380
[   34.420391]  ? kmem_cache_double_destroy+0x1bf/0x380
[   34.420394]  __kasan_check_byte+0x3d/0x50
[   34.420399]  kmem_cache_destroy+0x25/0x1d0
[   34.420404]  kmem_cache_double_destroy+0x1bf/0x380
[   34.420407]  ? __pfx_kmem_cache_double_destroy+0x10/0x10
[   34.420411]  ? finish_task_switch.isra.0+0x153/0x700
[   34.420416]  ? __switch_to+0x5d9/0xf60
[   34.420420]  ? dequeue_task_fair+0x166/0x4e0
[   34.420426]  ? ktime_get_ts64+0x83/0x230
[   34.420431]  kunit_try_run_case+0x1a2/0x480
[   34.420436]  ? __pfx_kunit_try_run_case+0x10/0x10
[   34.420440]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   34.420445]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   34.420450]  ? __kthread_parkme+0x82/0x180
[   34.420454]  ? preempt_count_sub+0x50/0x80
[   34.420459]  ? __pfx_kunit_try_run_case+0x10/0x10
[   34.420463]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   34.420467]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   34.420471]  kthread+0x334/0x6f0
[   34.420475]  ? trace_preempt_on+0x20/0xc0
[   34.420480]  ? __pfx_kthread+0x10/0x10
[   34.420484]  ? _raw_spin_unlock_irq+0x47/0x80
[   34.420489]  ? calculate_sigpending+0x7b/0xa0
[   34.420493]  ? __pfx_kthread+0x10/0x10
[   34.420497]  ret_from_fork+0x3e/0x80
[   34.420501]  ? __pfx_kthread+0x10/0x10
[   34.420506]  ret_from_fork_asm+0x1a/0x30
[   34.420512]  </TASK>
[   34.420513] 
[   34.604192] Allocated by task 258:
[   34.607596]  kasan_save_stack+0x45/0x70
[   34.611436]  kasan_save_track+0x18/0x40
[   34.615276]  kasan_save_alloc_info+0x3b/0x50
[   34.619547]  __kasan_slab_alloc+0x91/0xa0
[   34.623561]  kmem_cache_alloc_noprof+0x123/0x3f0
[   34.628187]  __kmem_cache_create_args+0x169/0x240
[   34.632893]  kmem_cache_double_destroy+0xd5/0x380
[   34.637600]  kunit_try_run_case+0x1a2/0x480
[   34.641786]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   34.647186]  kthread+0x334/0x6f0
[   34.650426]  ret_from_fork+0x3e/0x80
[   34.654006]  ret_from_fork_asm+0x1a/0x30
[   34.657940] 
[   34.659439] Freed by task 258:
[   34.662499]  kasan_save_stack+0x45/0x70
[   34.666336]  kasan_save_track+0x18/0x40
[   34.670177]  kasan_save_free_info+0x3f/0x60
[   34.674361]  __kasan_slab_free+0x56/0x70
[   34.678289]  kmem_cache_free+0x249/0x420
[   34.682213]  slab_kmem_cache_release+0x2e/0x40
[   34.686660]  kmem_cache_release+0x16/0x20
[   34.690702]  kobject_put+0x17e/0x450
[   34.694330]  sysfs_slab_release+0x16/0x20
[   34.698351]  kmem_cache_destroy+0xf0/0x1d0
[   34.702457]  kmem_cache_double_destroy+0x14e/0x380
[   34.707250]  kunit_try_run_case+0x1a2/0x480
[   34.711435]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   34.716835]  kthread+0x334/0x6f0
[   34.720069]  ret_from_fork+0x3e/0x80
[   34.723655]  ret_from_fork_asm+0x1a/0x30
[   34.727617] 
[   34.729114] The buggy address belongs to the object at ffff888100ac7540
[   34.729114]  which belongs to the cache kmem_cache of size 208
[   34.741534] The buggy address is located 0 bytes inside of
[   34.741534]  freed 208-byte region [ffff888100ac7540, ffff888100ac7610)
[   34.753617] 
[   34.755114] The buggy address belongs to the physical page:
[   34.760703] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100ac6
[   34.768765] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   34.776423] flags: 0x200000000000040(head|node=0|zone=2)
[   34.781760] page_type: f5(slab)
[   34.784901] raw: 0200000000000040 ffff888100042000 dead000000000122 0000000000000000
[   34.792647] raw: 0000000000000000 0000000080190019 00000000f5000000 0000000000000000
[   34.800389] head: 0200000000000040 ffff888100042000 dead000000000122 0000000000000000
[   34.808221] head: 0000000000000000 0000000080190019 00000000f5000000 0000000000000000
[   34.816049] head: 0200000000000001 ffffea000402b181 00000000ffffffff 00000000ffffffff
[   34.823882] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   34.831758] page dumped because: kasan: bad access detected
[   34.837330] 
[   34.838820] Memory state around the buggy address:
[   34.843616]  ffff888100ac7400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.850842]  ffff888100ac7480: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   34.858060] >ffff888100ac7500: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   34.865281]                                            ^
[   34.870592]  ffff888100ac7580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.877813]  ffff888100ac7600: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.885038] ==================================================================